Create Key to Encrypt the Windows and Linux

The document provides a detailed guide on creating keys to encrypt Windows and Linux servers in Azure at Ericsson, addressing the need for security against unauthorized access. It includes step-by-step instructions for generating keys in Azure Key Vault, enabling disk encryption for both Windows and Linux VMs, and troubleshooting common issues related to encryption. The article also outlines the necessary commands and configurations for successful encryption of OS and data disks.

Uploaded by

rvemulaus
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
6 views

Create Key to Encrypt the Windows and Linux

The document provides a detailed guide on creating keys to encrypt Windows and Linux servers in Azure at Ericsson, addressing the need for security against unauthorized access. It includes step-by-step instructions for generating keys in Azure Key Vault, enabling disk encryption for both Windows and Linux VMs, and troubleshooting common issues related to encryption. The article also outlines the necessary commands and configurations for successful encryption of OS and data disks.

Uploaded by

rvemulaus
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

16/08/2023, 18:01 KBA00263922

SSG : Azure at Ericsson : Create Key to Encrypt the Windows and Linux Servers
Knowledge Article KBA00263922

Published Version 1 - 26/08/2021 13:22

Problem
A key is required to secure the servers from unauthorized access.

Environment
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Linux OS (Red Hat)
Linux (SUSE 12)
azure at ericsson

Resolution
1. Log in to the Azure Portal (https://portal.azure.com).
2. Search for Key Vaults.
3. Go to Key Vaults and select Keys.
4. Click Generate/Import to create the new key.

https://ericsson-smartit.onbmc.com/smartit/app/#/knowledge/AGGB8NLFJQ7EFAQY5S8TQX6VMX7YIY

5. Optionally set the key expiration date; by default it is 2 years.

6. After the key is created, its Current Version, Status and Expiration Date are shown.

In order to resolve the issue please follow the steps:


Windows:
1. When the VM deployment is complete, select Go to resource.
2. On the left-hand sidebar, select Disks.
3. On the top bar, select Additional Settings.
4. Under Encryption settings > Disks to encrypt, select OS and data disks.
5. Under Encryption settings, choose Select a key vault and key for encryption.
6. On the Select key from Azure Key Vault screen, select Create New.
7. To the left of Key vault and key, select Click to select a key.
8. On the Select key from Azure Key Vault screen, under the Key Vault field, select Create new or Existing.
9. On the Access Policies tab, check the Azure Disk Encryption for volume encryption box.
10. Select Review + create.
11. After the key vault has passed validation, select Create. This returns you to the Select key from Azure Key Vault screen.
12. Leave the Key field blank and choose Select.
13. At the top of the encryption screen, click Save. A popup warns you that the VM will reboot. Click Yes.

Enable Azure Disk Encryption for Windows VMs - Azure Virtual Machines | Microsoft Docs

Linux Server Disk Encryption

By default, an encrypted RHEL VM is unable to boot because of a missing VFAT module error.

Re-enable the VFAT module by commenting out the following entry in the modprobe configuration:
Look for the file CIS.conf, or any other *.conf file, inside the /etc/modprobe.d directory.
Review the contents of each *.conf file, look for the following line, and comment it out or remove it from the configuration file. This line blacklists the VFAT module:

# vi /etc/modprobe.d/CIS.conf
install vfat /bin/true    # -> comment out or remove this line

Validate that the VFAT entry has been disabled.

Check whether the vfat module is included in the current initramfs; if not, rebuild the initramfs to include it.
Validate whether the VFAT module is loaded in the current initramfs using the following command. If it returns nothing, the VFAT module is not loaded.

Refer to the sample output below to see what a loaded VFAT module looks like:
# modinfo vfat
filename: /lib/modules/3.10.0-957.5.1.el7.x86_64/kernel/fs/fat/vfat.ko.xz
author: Gordon Chaffee
description: VFAT filesystem support
license: GPL
alias: fs-vfat
retpoline: Y
rhelversion: 7.6
srcversion: A3254796A3CD9815ABDDC94
depends: fat
If the VFAT module is not loaded into the initramfs, regenerate the initramfs with the following commands (the first takes a backup of the existing image):

# cp -rp /boot/initramfs-3.10.0-862.11.6.el7.x86_64.img /boot/initramfs-3.10.0-862.11.6.el7.x86_64.img.bkp
# dracut -f /boot/initramfs-3.10.0-862.11.6.el7.x86_64.img 3.10.0-862.11.6.el7.x86_64

Note: replace the kernel version with the corresponding one.
Validate that the VFAT module is loaded in the current initramfs using the following command:

# modinfo vfat
(If it returns the output shown above, the VFAT module is loaded.)
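The two RHEL boot-failure checks described above, as an added read-only script that is not part of the KBA: it reports any *.conf in a modprobe directory that still disables vfat, and checks an initramfs listing for vfat.ko. The directory and image paths are parameters (the article's are /etc/modprobe.d and /boot/initramfs-<kernel>.img); the sample listing and conf files are constructed.

```sh
#!/bin/sh
# Added example, not from the KBA: read-only checks for the two RHEL boot
# failure points described above. Directory and image paths are parameters.

# vfat_blacklist_files DIR -> prints every *.conf in DIR that still carries an
# uncommented line disabling the vfat module (the CIS hardening entry).
vfat_blacklist_files() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -qE '^[[:space:]]*(install[[:space:]]+vfat[[:space:]]+/bin/(true|false)|blacklist[[:space:]]+vfat)([[:space:]]|$)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# vfat_in_listing reads a list of file paths on stdin and succeeds when one of
# them is the vfat kernel module (vfat.ko, possibly compressed).
vfat_in_listing() {
    grep -qE '(^|/)vfat\.ko(\.[a-z]+)?$'
}

# vfat_in_initramfs IMG -> inspects the image itself with lsinitrd (dracut).
# modinfo answers from /lib/modules, so only this confirms the rebuilt
# initramfs actually contains the module.
vfat_in_initramfs() {
    lsinitrd "$1" | awk '{ print $NF }' | vfat_in_listing
}

# demo_modprobe_dir -> creates a temporary modprobe.d with two constructed
# files: CIS.conf still blacklists vfat, fixed.conf has the line commented out.
demo_modprobe_dir() {
    d=$(mktemp -d)
    printf 'install usb-storage /bin/true\ninstall vfat /bin/true\n' > "$d/CIS.conf"
    printf '# install vfat /bin/true\n' > "$d/fixed.conf"
    printf '%s\n' "$d"
}

# Constructed excerpt of an lsinitrd listing in which vfat.ko.xz is present.
SAMPLE_LSINITRD='-rw-r--r--   1 root root 27984 Aug 26  2021 usr/lib/modules/3.10.0-862.11.6.el7.x86_64/kernel/fs/fat/fat.ko.xz
-rw-r--r--   1 root root 16280 Aug 26  2021 usr/lib/modules/3.10.0-862.11.6.el7.x86_64/kernel/fs/fat/vfat.ko.xz'
```

Run `vfat_blacklist_files /etc/modprobe.d` before the reboot and `vfat_in_initramfs /boot/initramfs-<kernel>.img` after the dracut step; both print nothing and succeed only when the fix is in place.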

Now we have to encrypt the OS disk as well as the data disk.

Take a snippet of the # df -Th output.
Take a backup of /etc/fstab with the following command:

# cp /etc/fstab /etc/fstab_beforevfatchange.bak

Take a snippet of the df -Th output.
Detach the data disk from the Azure portal first, to be safe (because we are encrypting the OS disk first).
Comment out the disk mount entry in /etc/fstab (# vi /etc/fstab) and save the file with :wq.

Generate the Azure Key Vault from the Portal

Log in to the Azure portal, click the VM name, go to Disks and click Additional settings.
Select the OS disk and click Select a key.
Create a key vault named after the application, for example avaamokeyvault.
Create a key named after the VM name.
Select the version and then create the key.

Encrypt the VM OS Disk from Azure PowerShell

Log in to the Azure portal and click the PowerShell icon next to the search bar.
Set the subscription context with the following command:

Set-AzContext -Subscription "subscription id"

(Enter the VM's subscription id here.)

Enter the script below to encrypt the OS disk of the VM.

# The names below are the article's example values; replace them with your own.
$rgName = 'RG-UAT-AVAAMO';
$vmName = 'azweulx0321';
$KeyVaultName = 'avaamokeyvaultuat';
$KeyName = 'azweulx0321';
# Legacy AzureRm cmdlet names as used in the article; the Az module equivalents are
# Get-AzKeyVault, Get-AzKeyVaultKey, Set-AzKeyVaultAccessPolicy and Set-AzVMDiskEncryptionExtension.
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgName;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
# The key created in the portal is the key encryption key (KEK) that wraps the disk encryption secret.
$KEK = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyName;
$KeyEncryptionKeyUrl = $KEK.Id;
$VolumeType = 'OS';   # encrypt only the OS volume in this pass
# Allow the Azure Disk Encryption service to read secrets and keys from this vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $rgName -EnabledForDiskEncryption
# -EncryptFormatAll formats (erases) any attached data disk that is not already encrypted instead of
# encrypting its contents in place, which is why the data disk was detached beforehand.
# -SkipVmBackup skips the pre-encryption VM backup.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId `
    -KeyEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl `
    -VolumeType $VolumeType -EncryptFormatAll -SkipVmBackup -Force

Note: replace the resource group, VM name, key vault name and key name with the corresponding ones.

The OS disk takes some time to encrypt after the command succeeds. You can check the encrypted OS disk in the VM's Disks settings, shown as "SSE with PMK & ADE", and with the command:

# df -Th

Now we have to encrypt the data disk.

Check the file system of the data disk with the # df -Th command. If the file system is LVM, VFAT cannot be implemented on it directly.
Here we have to add one more partition of the same size as the data disk; the new partition is encrypted first.
Check with the # lsblk command and look for the newly attached volume.

Create a partition on the new volume by following these steps:

1. # fdisk /dev/sdX (where X is the device you would like to add the partition to)
2. Type 'n' to create a new partition.
3. Specify where you would like the partition to start and end. You can give the size of the partition in MB instead of the end cylinder. Press Enter twice here.
4. Type 'p' to create a primary partition, and type 'w' to save the partition table.
5. Format the partition: # mkfs.ext4 /dev/sdaX (where X is the number of the partition you have created).
6. Create a directory where you wish to mount the new drive, for example /newpartition: # mkdir -p /newpartition
7. Mount it with: # mount /dev/sdaX /newpartition
8. Check the newly mounted partition with # df -Th

Encrypt the VM Data Disk from Azure PowerShell

Log in to the Azure portal and click the PowerShell icon next to the search bar.
Set the subscription context with the following command:

Set-AzContext -Subscription "subscription id"

(Enter the VM's subscription id here.)

Enter the script below to encrypt the Linux OS VM.

# The names below are the article's example values; replace them with your own.
$rgName = 'RG-UAT-AVAAMO';
$vmName = 'azweulx0321';
$KeyVaultName = 'avaamokeyvaultuat';
$KeyName = 'azweulx0321';
# Legacy AzureRm cmdlet names as used in the article; the Az module equivalents are
# Get-AzKeyVault, Get-AzKeyVaultKey, Set-AzKeyVaultAccessPolicy and Set-AzVMDiskEncryptionExtension.
$KeyVault = Get-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $rgName;
$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;
$KeyVaultResourceId = $KeyVault.ResourceId;
# The same key encryption key (KEK) as in the OS-disk pass wraps the disk encryption secret.
$KEK = Get-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyName;
$KeyEncryptionKeyUrl = $KEK.Id;
$VolumeType = 'ALL';   # OS volume plus data disks in this pass
# Allow the Azure Disk Encryption service to read secrets and keys from this vault.
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ResourceGroupName $rgName -EnabledForDiskEncryption
# -EncryptFormatAll formats (erases) any attached data disk that is not already encrypted instead of
# encrypting its contents in place; here that is the intended effect on the new, empty partition.
# -SkipVmBackup skips the pre-encryption VM backup.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgName -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId `
    -KeyEncryptionKeyVaultId $KeyVaultResourceId -KeyEncryptionKeyUrl $KeyEncryptionKeyUrl `
    -VolumeType $VolumeType -EncryptFormatAll -SkipVmBackup -Force

Note: replace the resource group, VM name, key vault name and key name with the corresponding ones.

The data disk takes some time to encrypt after the command succeeds. You can check the encrypted data disk in the VM's Disks settings, shown as "SSE with PMK & ADE", and with the command:

# df -Th

The empty disk we just added now has vfat enabled. The data still has to be moved from the previous non-encrypted disk to the new encrypted disk, by adding the new volume to the LVM volume group.

Run # lsblk to find the volume ID of the new vfat volume and create a PV (physical volume) on it:

# pvcreate /dev/mapper/baa012de-7300-49b5-af8e-3f186fa6fd12

Check the result of pvcreate with # pvs; it shows the size of the PV. Next, add this PV to the VG (volume group). Check the name of the volume group with # vgs.

Extend the VG with this command:

# vgextend app_vg /dev/mapper/baa012de-7300-49b5-af8e-3f186fa6fd12

After extending the VG, check its status with # vgs.

Note: replace the volume ID with the corresponding one.


Now both disks are in the volume group. Move the extents off the non-encrypted PV and then remove the old disk from the volume group:

# pvmove /dev/sde && vgreduce app_vg /dev/sde

The pvmove and vgreduce steps take some time to complete. After they finish, verify the data on the data disk volume and remove the unencrypted data disk from the Azure portal.

Cause
Keys are required to encrypt the Windows / Linux servers.

Resources

Article Metadata
Publish to External Audiences
No

Author
Gopal Khatri

Assigned to
Bharat Kumar Sharma

Next Review Date


17 Aug 2023

Company
All (Primary)

Keywords
Keyvault, Key Encryption, Database Encryption, Disk Encryption, azure at ericsson, Key Creation, azure at Ericsson

Business Service
azure at ericsson

Operational Category
Failure > Break&Fix (Primary)

Product Category
Service > IT Service > Support Service > azure at ericsson (Primary)


Attachments
This Article has no attachments

Activity

Pinkee Nigam made a minor edit to Version 1 (4 May 2023 20:35)
Rachit Saxena made a minor edit to Version 1 (21 Feb 2023 14:28)
Amit Kumar made a minor edit to Version 1 (21 Dec 2022 13:34)
Bharat Kumar Sharma made a minor edit to Version 1 (13 Sep 2022 20:32)
Bharat Kumar Sharma made a minor edit to Version 1 (13 Jun 2022 12:30)
Bharat Kumar Sharma made a minor edit to Version 1 (16 Mar 2022 13:52)
Bharat Kumar Sharma made a minor edit to Version 1 (16 Dec 2021 20:49)
Bharat Kumar Sharma made a minor edit to Version 1 (16 Dec 2021 20:48)
Raghubir Singh made a minor edit to Version 1 (13 Sep 2021 13:19)
Raghubir Singh made a minor edit to Version 1 (13 Sep 2021 13:18)
Bharat Kumar Sharma made a minor edit to Version 1 (7 Sep 2021 10:15)
BOTPRODIT QualityCheckMOF flagged this article for review (31 Aug 2021 22:50):
1) Resolution steps need to be numbered properly.
2 Responses
Raghubir Singh: KBA document updated. (13 Sep 2021 13:19)
Status marked: "Published" by System Generated (27 Aug 2021 12:48)
Status marked: "Publish Approval" by Sushil Kumar (27 Aug 2021 12:48)
Status marked: "Draft" by Sushil Kumar (26 Aug 2021 17:59)
Assigned to Bharat Kumar Sharma by Bharat Kumar Sharma (26 Aug 2021 17:53)
Assigned to Gopal Khatri by Bharat Kumar Sharma (26 Aug 2021 13:29)
Assigned to Bharat Kumar Sharma by Gopal Khatri (26 Aug 2021 13:24)
Status marked: "Work In Progress" by Gopal Khatri (26 Aug 2021 13:22)
New KBA00263922 by Gopal Khatri (26 Aug 2021 13:22)
